Update Flyte provisioning (#206)

* update flyte bucket policies * add roles for flyte * add flyte roles names to irsa vars * add back default value for flyte * register flyte outputs * fix typo in dataplane role name * update flyte outputs, add account_id * update regex * update regex to pass ci * add newline at the end of the file
dominodatalab · Feb 2, 2024 · e7a2295 · e7a2295
1 parent a5d1971
commit e7a2295
Show file tree

Hide file tree

Showing 9 changed files with 96 additions and 75 deletions.
diff --git a/modules/eks/README.md b/modules/eks/README.md
@@ -52,6 +52,7 @@
 | [terraform_data.run_k8s_pre_setup](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
 | [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.aws_eks_provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.cluster_aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_eks_addon_version.default_vpc_cni](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_addon_version) | data source |
 | [aws_iam_policy_document.autoscaler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.custom_eks_node_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

diff --git a/modules/eks/cluster.tf b/modules/eks/cluster.tf
@@ -31,6 +31,10 @@ resource "aws_cloudwatch_log_group" "eks_cluster" {
   retention_in_days = 365
 }
 
+data "aws_caller_identity" "cluster_aws_account" {
+  provider = aws.eks
+}
+
 resource "aws_eks_cluster" "this" {
   provider = aws.eks
 

diff --git a/modules/eks/main.tf b/modules/eks/main.tf
@@ -205,6 +205,7 @@ locals {
         endpoint                  = aws_eks_cluster.this.endpoint
         certificate_authority     = aws_eks_cluster.this.certificate_authority
         kubernetes_network_config = aws_eks_cluster.this.kubernetes_network_config
+        account_id                = data.aws_caller_identity.cluster_aws_account.account_id
       }
       addons            = var.eks.cluster_addons
       version           = aws_eks_cluster.this.version

diff --git a/modules/infra/submodules/storage/s3.tf b/modules/infra/submodules/storage/s3.tf
@@ -635,42 +635,6 @@ data "aws_iam_policy_document" "flyte_metadata" {
       identifiers = ["*"]
     }
   }
-
-  statement {
-    sid       = "DenyIncorrectEncryptionHeader"
-    effect    = "Deny"
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_metadata[0].bucket}/*"]
-    actions   = ["s3:PutObject"]
-
-    condition {
-      test     = "StringNotEquals"
-      variable = "s3:x-amz-server-side-encryption"
-      values   = [local.s3_server_side_encryption]
-    }
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-  }
-
-  statement {
-    sid       = "DenyUnEncryptedObjectUploads"
-    effect    = "Deny"
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_metadata[0].bucket}/*"]
-    actions   = ["s3:PutObject"]
-
-    condition {
-      test     = "Null"
-      variable = "s3:x-amz-server-side-encryption"
-      values   = ["true"]
-    }
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-  }
 }
 
 resource "aws_s3_bucket" "flyte_data" {
@@ -704,40 +668,4 @@ data "aws_iam_policy_document" "flyte_data" {
       identifiers = ["*"]
     }
   }
-
-  statement {
-    sid       = "DenyIncorrectEncryptionHeader"
-    effect    = "Deny"
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_data[0].bucket}/*"]
-    actions   = ["s3:PutObject"]
-
-    condition {
-      test     = "StringNotEquals"
-      variable = "s3:x-amz-server-side-encryption"
-      values   = [local.s3_server_side_encryption]
-    }
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-  }
-
-  statement {
-    sid       = "DenyUnEncryptedObjectUploads"
-    effect    = "Deny"
-    resources = ["arn:${data.aws_partition.current.partition}:s3:::${aws_s3_bucket.flyte_data[0].bucket}/*"]
-    actions   = ["s3:PutObject"]
-
-    condition {
-      test     = "Null"
-      variable = "s3:x-amz-server-side-encryption"
-      values   = ["true"]
-    }
-
-    principals {
-      type        = "AWS"
-      identifiers = ["*"]
-    }
-  }
-}
+}
diff --git a/modules/irsa/README.md b/modules/irsa/README.md
@@ -32,9 +32,12 @@ No modules.
 | [aws_iam_policy.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.flyte_controlplane_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role.flyte_dataplane_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy_attachment.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_caller_identity.aws_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.external_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_route53_zone.hosted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
@@ -43,14 +46,16 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_irsa_configs"></a> [additional\_irsa\_configs](#input\_additional\_irsa\_configs) | Input for additional irsa configurations | <pre>list(object({<br>    name                = string<br>    namespace           = string<br>    serviceaccount_name = string<br>    policy              = string #json<br>  }))</pre> | `[]` | no |
-| <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br>      specs {<br>        name            = Cluster name.<br>      }<br>      oidc = {<br>        arn = OIDC provider ARN.<br>        url = OIDC provider url.<br>        cert = {<br>          thumbprint\_list = OIDC cert thumbprints.<br>          url             = OIDC cert URL.<br>      }<br>    } | <pre>object({<br>    cluster = object({<br>      specs = object({<br>        name = string<br>      })<br>      oidc = object({<br>        arn = string<br>        url = string<br>        cert = object({<br>          thumbprint_list = list(string)<br>          url             = string<br>        })<br>      })<br>    })<br>  })</pre> | n/a | yes |
+| <a name="input_eks_info"></a> [eks\_info](#input\_eks\_info) | cluster = {<br>      specs {<br>        name            = Cluster name.<br>        account\_id      = AWS account id where the cluster resides.<br>      }<br>      oidc = {<br>        arn = OIDC provider ARN.<br>        url = OIDC provider url.<br>        cert = {<br>          thumbprint\_list = OIDC cert thumbprints.<br>          url             = OIDC cert URL.<br>      }<br>    } | <pre>object({<br>    cluster = object({<br>      specs = object({<br>        name       = string<br>        account_id = string<br>      })<br>      oidc = object({<br>        arn = string<br>        url = string<br>        cert = object({<br>          thumbprint_list = list(string)<br>          url             = string<br>        })<br>      })<br>    })<br>  })</pre> | n/a | yes |
 | <a name="input_external_dns"></a> [external\_dns](#input\_external\_dns) | Config to enable irsa for external-dns | <pre>object({<br>    enabled             = optional(bool, false)<br>    hosted_zone_name    = optional(string, null)<br>    hosted_zone_private = optional(string, false)<br>    namespace           = optional(string, "domino-platform")<br>    serviceaccount_name = optional(string, "external-dns")<br>  })</pre> | `{}` | no |
+| <a name="input_flyte"></a> [flyte](#input\_flyte) | enabled = Whether to provision any Flyte related resources<br>    eks = {<br>      controlplane\_role = Name of control plane role to create for Flyte<br>      dataplane\_role = Name of data plane role to create for Flyte<br>    } | <pre>object({<br>    enabled = optional(bool, false)<br>  })</pre> | `{}` | no |
 | <a name="input_use_cluster_odc_idp"></a> [use\_cluster\_odc\_idp](#input\_use\_cluster\_odc\_idp) | Toogle to uset the oidc idp connector in the trust policy.<br>    Set to `true` if the cluster and the hosted zone are in different aws accounts. | `bool` | `true` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_external_dns"></a> [external\_dns](#output\_external\_dns) | External\_dns info |
+| <a name="output_flyte"></a> [flyte](#output\_flyte) | Flyte info |
 | <a name="output_roles"></a> [roles](#output\_roles) | Roles mapping info |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/irsa/flyte.tf b/modules/irsa/flyte.tf
@@ -0,0 +1,51 @@
+resource "aws_iam_role" "flyte_controlplane_role" {
+  count = var.flyte.enabled ? 1 : 0
+  name  = "${local.name_prefix}-flyte-controlplane-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Effect = "Allow"
+        Principal = {
+          Federated = local.oidc_provider_arn
+        }
+        Condition : {
+          StringEquals : {
+            "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
+            "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+              "system:serviceaccount:flyte:flyteadmin",
+              "system:serviceaccount:flyte:datacatalog"
+            ]
+          }
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role" "flyte_dataplane_role" {
+  count = var.flyte.enabled ? 1 : 0
+  name  = "${local.name_prefix}-flyte-dataplane-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Effect = "Allow"
+        Principal = {
+          Federated = local.oidc_provider_arn
+        }
+        Condition : {
+          StringEquals : {
+            "${trimprefix(local.oidc_provider_url, "https://")}:aud" : "sts.amazonaws.com",
+            "${trimprefix(local.oidc_provider_url, "https://")}:sub" : [
+              "system:serviceaccount:flyte:flytepropeller",
+              "system:serviceaccount:*:default"
+            ]
+          }
+        }
+      },
+    ]
+  })
+}
diff --git a/modules/irsa/main.tf b/modules/irsa/main.tf
@@ -1,7 +1,10 @@
+data "aws_caller_identity" "aws_account" {}
+
 locals {
   oidc_provider_url = var.use_cluster_odc_idp ? var.eks_info.cluster.oidc.cert.url : aws_iam_openid_connect_provider.this[0].url
   oidc_provider_arn = var.use_cluster_odc_idp ? var.eks_info.cluster.oidc.arn : aws_iam_openid_connect_provider.this[0].arn
   name_prefix       = var.eks_info.cluster.specs.name
+  aws_account_id    = var.use_cluster_odc_idp ? var.eks_info.cluster.specs.account_id : data.aws_caller_identity.aws_account.account_id
 }
 
 resource "aws_iam_openid_connect_provider" "this" {

diff --git a/modules/irsa/outputs.tf b/modules/irsa/outputs.tf
@@ -12,3 +12,14 @@ output "external_dns" {
     external_dns_use_eks_idp = var.use_cluster_odc_idp
   } : null
 }
+
+output "flyte" {
+  description = "Flyte info"
+  value = var.flyte.enabled ? {
+    eks = {
+      account_id            = local.aws_account_id
+      controlplane_role_arn = aws_iam_role.flyte_controlplane_role[0].arn
+      dataplane_role_arn    = aws_iam_role.flyte_dataplane_role[0].arn
+    }
+  } : null
+}
diff --git a/modules/irsa/variables.tf b/modules/irsa/variables.tf
@@ -3,6 +3,7 @@ variable "eks_info" {
     cluster = {
       specs {
         name            = Cluster name.
+        account_id      = AWS account id where the cluster resides.
       }
       oidc = {
         arn = OIDC provider ARN.
@@ -16,7 +17,8 @@ variable "eks_info" {
   type = object({
     cluster = object({
       specs = object({
-        name = string
+        name       = string
+        account_id = string
       })
       oidc = object({
         arn = string
@@ -69,3 +71,18 @@ variable "additional_irsa_configs" {
     error_message = "Invalid json found in policy"
   }
 }
+
+variable "flyte" {
+  description = <<EOF
+    enabled = Whether to provision any Flyte related resources
+    eks = {
+      controlplane_role = Name of control plane role to create for Flyte
+      dataplane_role = Name of data plane role to create for Flyte
+    }
+  EOF
+  type = object({
+    enabled = optional(bool, false)
+  })
+
+  default = {}
+}